HackmyVM: HERO

Vishal
4 min read · Feb 13, 2025


In this blog I am going to walk you through the Hackmyvm HERO machine.

Enumeration: Let’s start with enumeration using an nmap scan. nmap shows only a couple of open ports, 80 and 5678.

only a couple of open ports, 80 and 5678

Let’s visit both ports in the browser to check what is actually running. Port 80 serves a private key.

private key on port 80

I will keep this in mind. Let’s visit the other port, 5678; it shows the page below.

application running on port 5678

To learn more about n8n, please see this page. I will create a user and log in to the application.

Page after login

I spent a lot of time enumerating and understanding how the application works. We need to create a workflow, and in it I selected the Code node.

The Code node accepts either JavaScript or Python. I chose Python.

This is a good attack surface: it lets us execute commands on the back-end system through the code node. I used the os module; when it runs a given command it returns 0 on success and a non-zero integer on failure. For example, 0 for ls and a non-zero integer for some random, non-existent command.

output for random command
0 for ls -l command

So let’s see if nc (netcat) is available on the system using the logic above. We are lucky: netcat is present.

netcat is available

Remote shell:

Let’s start a listener on the Kali machine and use nc from the victim to give us a reverse shell. I got the reverse shell.

Reverse shell

After enumerating further, I found that I am in a Docker container.

docker container

I used deepce, linpeas, etc., but no luck. I checked the IP address of the container we are in and it is 172.7.0.2, which means the host has 172.16.0.1.

ipaddr

It looks like port 22 is open on the host OS.

To get access, we need to tunnel, and for that I used Chisel. Let’s download it on the victim machine.

chisel

On the victim machine, run chisel in client mode; on the attacker machine it should run in server mode. We are using reverse port forwarding.

chisel server on kali machine

Now we need a key or password to SSH into the box. From the initial enumeration on port 80 we discovered an SSH private key; let’s use that.

We also need a username for SSH; we can get that by decoding the key above.

decoded key showing username
ssh shell as shawa

Again I used linpeas to find a vector for privilege escalation, but this did not provide any result.

The text ‘shaw was here’ is the same text I saw when we SSH into the machine. Checking the permissions of the file /opt/banner.txt, everyone has read and write permission on it. This means we can replace it with some other file. Now we have two options:

  1. Just read the root flag in /root/root.txt
  2. Read the /etc/shadow file to get access to the password hashes.

Let’s first just read the root flag. For that I have created a symbolic link.

I disconnected the previous SSH connection, logged in via SSH again, and got the root flag.

Now, to read the /etc/shadow file, create a symbolic link to /etc/shadow instead.

This gives us the password; let’s use that to log in as root.
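The root cause of this privilege escalation is a file that everyone can write but a privileged login process trusts. The Python script below is an added example, not part of the original write-up or of the HERO machine’s files: it rebuilds the situation in a scratch directory with constructed files (a stand-in for /opt/banner.txt and a stand-in for a root-only file), runs a small audit check a defender can point at such paths, and contrasts a reader that follows symlinks with a hardened reader that refuses symlinks and files writable by others. All file names, contents and function names are assumptions.

```python
import errno
import os
import stat
import tempfile


def audit_privileged_input(path):
    """Return the findings a defender cares about for a file that a privileged
    process (here: a root-run login banner script) reads. Empty list = clean."""
    findings = []
    st = os.lstat(path)  # lstat: inspect the path itself, never follow a link
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink -> %s" % os.readlink(path))
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    # a world-writable parent without the sticky bit lets anyone unlink and replace the file
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def read_as_vulnerable_banner(path):
    """Mimics the weak behaviour: open() follows symlinks and ignores who may write the file."""
    with open(path, "r") as fh:
        return fh.read()


def read_trusted_file(path, trusted_uids=None, max_bytes=4096):
    """Hardened reader for a file that will be consumed with root privileges.
    Refuses symlinks (O_NOFOLLOW), non-regular files, files owned by an
    untrusted uid, and files writable by group or others."""
    if trusted_uids is None:
        trusted_uids = (0, os.geteuid())
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # final component is a symlink
            raise PermissionError("refusing to follow symlink: %s" % path) from exc
        raise
    try:
        st = os.fstat(fd)  # fstat the fd we hold: no check-then-use gap on the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file: %s" % path)
        if st.st_uid not in trusted_uids:
            raise PermissionError("untrusted owner uid %d: %s" % (st.st_uid, path))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("file is writable by group/others: %s" % path)
        return os.read(fd, max_bytes).decode("utf-8", errors="replace")
    finally:
        os.close(fd)


def _try_hardened(path):
    """Return the file content, or a 'REFUSED: ...' string explaining the rejection."""
    try:
        return read_trusted_file(path)
    except PermissionError as exc:
        return "REFUSED: %s" % exc


def demo():
    """Rebuild the misconfiguration with constructed files in a scratch directory
    and return what each reader and the audit see before and after the banner
    file is swapped for a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret.txt")  # stand-in for a root-only file
        banner = os.path.join(root, "banner.txt")  # stand-in for /opt/banner.txt
        with open(secret, "w") as fh:
            fh.write("root-only secret\n")
        os.chmod(secret, 0o600)
        with open(banner, "w") as fh:
            fh.write("shaw was here\n")
        os.chmod(banner, 0o666)  # the world-writable misconfiguration

        results["audit_before"] = audit_privileged_input(banner)
        results["vulnerable_read_before"] = read_as_vulnerable_banner(banner)
        results["hardened_read_before"] = _try_hardened(banner)
        results["hardened_read_secret"] = _try_hardened(secret)  # properly owned 0600 file is accepted

        # the write permission is abused: the banner path now points at the protected file
        os.remove(banner)
        os.symlink(secret, banner)

        results["audit_after"] = audit_privileged_input(banner)
        results["vulnerable_read_after"] = read_as_vulnerable_banner(banner)
        results["hardened_read_after"] = _try_hardened(banner)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The audit flags the banner as world-writable even before anything is replaced, which is the point at which a defender wants to catch it; after the swap, the naive reader returns the protected content while the hardened reader refuses with an explicit symlink error. The same fstat-after-open pattern applies to any root-run script that reads a file from a location unprivileged users can write.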

root shell

This is really a good machine. See you soon with another one.
